
RE: Iptables can't close port 25 and 110



-----Original Message-----
From: "Ronald Laarman" <ronald@laarman.xs4all.nl>
To: <debian-firewall@lists.debian.org>
Cc: <R.DElia@starcomitalia.com>
Date: Mon, 26 Jan 2004 21:48:08 +0100
Subject: RE: Iptables can't close port 25 and 110

> I'm not running NAT or TOS, the nat and mangle modules aren't loaded, so
> I guess the tables don't exist either. It's a single homed server.
> 
> Iptables is configured as follows:
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> REJECT     tcp  --  anywhere             anywhere           tcp dpt:smtp reject-with icmp-port-unreachable
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> 
> 
> When running NMAP to scan port 25, tcpdump generates the following output:
> 
> 21:09:51.034830 10.0.0.13.4873 > 10.0.0.4.smtp: S 29225080:29225080(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 21:09:51.034891 10.0.0.4 > 10.0.0.13: icmp: 10.0.0.4 tcp port smtp unreachable [tos 0xc0]
> 21:09:51.035143 10.0.0.4.34627 > SpeedTouch.lan.domain:  44052+ PTR? 13.0.0.10.in-addr.arpa. (40) (DF)
> 21:09:51.035888 SpeedTouch.lan.domain > 10.0.0.4.34627:  44052 0/0/0 (40)
> 
> The following output is generated when I scan port 199 (I added a reject
> rule of course):
> 
> 21:25:02.267951 10.0.0.13.4907 > 10.0.0.4.smux: S 259491857:259491857(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 21:25:02.268013 10.0.0.4 > 10.0.0.13: icmp: 10.0.0.4 tcp port smux unreachable [tos 0xc0]
 
But nmap recognizes port 25 as open and 199 as closed.

What kind of scan are you doing?

Try tcpdump on the sender host too. Do the packets look the same? Maybe
the sending host is mangling the packets somewhere in the path from the
server to the client.

Radel
